[system-administrators-guide] Update after chapter review
stephenw
stephenw at fedoraproject.org
Mon Dec 1 21:33:19 UTC 2014
commit c10fa36bc5fe6ade9e68b2e27b81bb78aa1f4ddc
Author: Stephen Wadeley <swadeley at redhat.com>
Date: Mon Dec 1 22:31:33 2014 +0100
Update after chapter review
thank you Laura Bailey
en-US/The_Apache_HTTP_Server.xml | 128 +++++++++++++++++++-------------------
1 files changed, 63 insertions(+), 65 deletions(-)
---
diff --git a/en-US/The_Apache_HTTP_Server.xml b/en-US/The_Apache_HTTP_Server.xml
index 4ae24a3..fe684eb 100644
--- a/en-US/The_Apache_HTTP_Server.xml
+++ b/en-US/The_Apache_HTTP_Server.xml
@@ -21,7 +21,7 @@
<tertiary>changes</tertiary>
</indexterm>
<para>
- The Apache HTTP Server version 2.4 has the following changes:
+ The Apache HTTP Server version 2.4 has the following changes compared to version 2.2:
</para>
<variablelist>
@@ -29,15 +29,13 @@
<term>httpd Service Control</term>
<listitem>
<para>
-With the migration away from SysV init scripts, server administrators should switch to using the <command>apachectl</command> and <command>systemctl</command> commands to control the service, in place of the <command>service</command> command. The following examples are specific to the <systemitem class="daemon">httpd</systemitem> service.
+With the migration away from SysV init scripts, server administrators should switch to using the <command>apachectl</command> and <command>systemctl</command> commands to control the service, in place of the <command>service</command> command. The following examples are specific to the <systemitem class="daemon">httpd</systemitem> service.</para>
+<para>
The command:
<synopsis>service httpd graceful</synopsis>
is replaced by
<synopsis>apachectl graceful</synopsis>
-The command:
-<synopsis>service httpd configtest</synopsis>
- is replaced by
- <synopsis>apachectl configtest</synopsis>
+
The <systemitem class="daemon">systemd</systemitem> unit file for <systemitem class="daemon">httpd</systemitem> has different behavior from the init script as follows:
<itemizedlist>
<listitem>
@@ -51,7 +49,13 @@ The <systemitem class="daemon">systemd</systemitem> unit file for <systemitem cl
</para>
</listitem>
</itemizedlist>
-
+
+The command:
+<synopsis>service httpd configtest</synopsis>
+ is replaced by
+ <synopsis>apachectl configtest</synopsis>
+
+
</para>
</listitem>
</varlistentry>
@@ -69,26 +73,23 @@ To enhance system security, the <systemitem class="daemon">systemd</systemitem>
<term>Configuration Layout</term>
<listitem>
<para>
-Configuration files which load modules are now placed in the <filename class="directory">/etc/httpd/conf.modules.d</filename> directory. Packages, such as <package>php</package>, which provide additional loadable modules for <systemitem class="daemon">httpd</systemitem> will place a file in this directory. Any configuration files in the <filename class="directory">conf.modules.d</filename> are processed before the main body of <filename>httpd.conf</filename>. Configuration files in the <filename class="directory">/etc/httpd/conf.d</filename> directory are now processed after the main body of <filename>httpd.conf</filename>.</para>
+Configuration files which load modules are now placed in the <filename class="directory">/etc/httpd/conf.modules.d</filename> directory. Packages that provide additional loadable modules for <systemitem class="daemon">httpd</systemitem>, such as <package>php</package>, will place a file in this directory. Any configuration files in the <filename class="directory">conf.modules.d</filename> directory are processed before the main body of <filename>httpd.conf</filename>. Configuration files in the <filename class="directory">/etc/httpd/conf.d</filename> directory are now processed after the main body of <filename>httpd.conf</filename>.</para>
<para>
Some additional configuration files are provided by the <package>httpd</package> package itself:</para>
<itemizedlist>
<listitem>
<para>
- <synopsis>/etc/httpd/conf.d/autoindex.conf</synopsis>
- This configures mod_autoindex directory indexing.
+ <filename>/etc/httpd/conf.d/autoindex.conf</filename> — This configures mod_autoindex directory indexing.
</para>
</listitem>
<listitem>
<para>
- <synopsis>/etc/httpd/conf.d/userdir.conf</synopsis>
- This configures access to user directories, for example, <literal>http://example.com/~username/</literal>; such access is disabled by default for security reasons.
- </para>
+ <filename>/etc/httpd/conf.d/userdir.conf</filename> — This configures access to user directories, for example, <literal>http://example.com/~username/</literal>; such access is disabled by default for security reasons.
+ </para>
</listitem>
<listitem>
<para>
-<synopsis>/etc/httpd/conf.d/welcome.conf</synopsis>
- As in previous releases, this configures the welcome page displayed for <literal>http://localhost/</literal> when no content is present.
+<filename>/etc/httpd/conf.d/welcome.conf</filename> — As in previous releases, this configures the welcome page displayed for <literal>http://localhost/</literal> when no content is present.
</para>
</listitem>
@@ -100,16 +101,16 @@ Some additional configuration files are provided by the <package>httpd</package>
<term>Default Configuration</term>
<listitem>
<para>
-A minimal default <filename>httpd.conf</filename> is now provided by default. Many common configuration settings, such as <literal>Timeout</literal> or <literal>KeepAlive</literal> are no longer explicitly configured in the default configuration; hard-coded settings will be used instead, by default. The hard-coded default settings for all configuration directives are specified in the manual. See <xref linkend="s3-apache-resources-installed" /> for more information.
+A minimal <filename>httpd.conf</filename> file is now provided by default. Many common configuration settings, such as <literal>Timeout</literal> or <literal>KeepAlive</literal> are no longer explicitly configured in the default configuration; hard-coded settings will be used instead, by default. The hard-coded default settings for all configuration directives are specified in the manual. See <xref linkend="s3-apache-resources-installed" /> for more information.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>Configuration Changes</term>
+ <term>Incompatible Syntax Changes</term>
<listitem>
<para>
-A number of backwards-incompatible changes to the <systemitem class="daemon">httpd</systemitem> configuration syntax were made which will require changes if migrating an existing configuration from <application>httpd 2.2</application> to <application>httpd 2.4</application>. See the following Apache document for more information on upgrading <ulink url="http://httpd.apache.org/docs/2.4/upgrading.html" />
+If migrating an existing configuration from <application>httpd 2.2</application> to <application>httpd 2.4</application>, a number of backwards-incompatible changes to the <systemitem class="daemon">httpd</systemitem> configuration syntax were made which will require changes. See the following Apache document for more information on upgrading <ulink url="http://httpd.apache.org/docs/2.4/upgrading.html" />
</para>
</listitem>
</varlistentry>
@@ -121,14 +122,14 @@ A number of backwards-incompatible changes to the <systemitem class="daemon">htt
<para>
In previous releases of &MAJOROS;, different <firstterm>multi-processing models</firstterm> (<acronym>MPM</acronym>) were made available as different <systemitem class="daemon">httpd</systemitem> binaries: the forked model, <quote>prefork</quote>, as <filename>/usr/sbin/httpd</filename>, and the thread-based model <quote>worker</quote> as <filename>/usr/sbin/httpd.worker</filename>.</para>
<para>
-In &MAJOROSVER;, only a single <systemitem class="daemon">httpd</systemitem> binary is used, and three MPMs are available as loadable modules: worker, prefork (default), and event. The configuration file <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> can be changed to select which of the three MPM modules is loaded.</para>
+In &MAJOROSVER;, only a single <systemitem class="daemon">httpd</systemitem> binary is used, and three MPMs are available as loadable modules: worker, prefork (default), and event. Edit the configuration file <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> as required, by adding and removing the comment character <literal>#</literal> so that only one of the three MPM modules is loaded.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Packaging Changes</term>
<listitem>
<para>
-The LDAP authentication and authorization modules are now provided in a separate sub-package <package>mod_ldap</package>. The new module <application>mod_session</application> and associated helper modules are provided in a new sub-package, <package>mod_session</package>. The new modules <application>mod_proxy_html</application> and <application>mod_xml2enc</application> are provided in a new sub-package, <package>mod_proxy_html</package>.
+The LDAP authentication and authorization modules are now provided in a separate sub-package, <package>mod_ldap</package>. The new module <application>mod_session</application> and associated helper modules are provided in a new sub-package, <package>mod_session</package>. The new modules <application>mod_proxy_html</application> and <application>mod_xml2enc</application> are provided in a new sub-package, <package>mod_proxy_html</package>.
</para>
</listitem>
</varlistentry>
@@ -136,27 +137,24 @@ The LDAP authentication and authorization modules are now provided in a separate
<term>Packaging Filesystem Layout</term>
<listitem>
<para>
-The <filename class="directory">/var/cache/mod_proxy</filename> directory is no longer provided; instead, the <filename class="directory">/var/cache/httpd/</filename> directory is packaged with a <literal>proxy</literal> and <literal>ssl</literal> subdirectory.
+The <filename class="directory">/var/cache/mod_proxy/</filename> directory is no longer provided; instead, the <filename class="directory">/var/cache/httpd/</filename> directory is packaged with a <literal>proxy</literal> and <literal>ssl</literal> subdirectory.
</para>
<para>
Packaged content provided with <systemitem class="daemon">httpd</systemitem> has been moved from <filename class="directory">/var/www/</filename> to <filename class="directory">/usr/share/httpd/</filename>:
<itemizedlist>
<listitem>
<para>
- <synopsis>/usr/share/httpd/icons/</synopsis>
- The <filename class="directory">/var/www/icons/</filename> has moved to <filename class="directory">/usr/share/httpd/icons</filename>. This directory contains a set of icons used with directory indices. Available at <literal>http://localhost/icons/</literal> in the default configuration, via <filename>/etc/httpd/conf.d/autoindex.conf</filename>.
+ <filename>/usr/share/httpd/icons/</filename> — The directory containing a set of icons used with directory indices, previously contained in <filename class="directory">/var/www/icons/</filename>, has moved to <filename class="directory">/usr/share/httpd/icons</filename>. Available at <literal>http://localhost/icons/</literal> in the default configuration; the location and the availability of the icons is configurable in the <filename>/etc/httpd/conf.d/autoindex.conf</filename> file.
</para>
</listitem>
<listitem>
<para>
- <synopsis>/usr/share/httpd/manual/</synopsis>
- The <filename class="directory">/var/www/manual/</filename> has moved to <filename class="directory">/usr/share/httpd/manual/</filename>. This directory, contained in the <package>httpd-manual</package> package, contains the HTML version of the manual for <systemitem class="daemon">httpd</systemitem>. Available at <literal>http://localhost/manual/</literal> if the package is installed, via <literal>/etc/httpd/conf.d/manual.conf</literal>.</para>
+ <filename>/usr/share/httpd/manual/</filename> — The <filename class="directory">/var/www/manual/</filename> has moved to <filename class="directory">/usr/share/httpd/manual/</filename>. This directory, contained in the <package>httpd-manual</package> package, contains the HTML version of the manual for <systemitem class="daemon">httpd</systemitem>. Available at <literal>http://localhost/manual/</literal> if the package is installed, the location and the availability of the manual is configurable in the <literal>/etc/httpd/conf.d/manual.conf</literal> file.</para>
</listitem>
<listitem>
<para>
- <synopsis>/usr/share/httpd/error/</synopsis>
- The <filename class="directory">/var/www/error/</filename> has moved to <filename class="directory">/usr/share/httpd/error/</filename>. Custom multi-language HTTP error pages. Not configured by default, the example configuration file is provided at <filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-multilang-errordoc.conf</filename>.
+ <filename>/usr/share/httpd/error/</filename> — The <filename class="directory">/var/www/error/</filename> has moved to <filename class="directory">/usr/share/httpd/error/</filename>. Custom multi-language HTTP error pages. Not configured by default, the example configuration file is provided at <filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-multilang-errordoc.conf</filename>.
</para>
</listitem>
@@ -182,7 +180,7 @@ The configuration directives used to control authentication, authorization and a
<term>suexec</term>
<listitem>
<para>
-To improve system security, the <application>suexec</application> binary is no longer installed <literal>setuid root</literal>; instead, it has file system capability bits set which allow a more restrictive set of permissions. In conjunction with this change, the <application>suexec</application> binary no longer uses the <filename>/var/log/httpd/suexec.log</filename> logfile. Instead, log messages are sent to <application>syslog</application>; by default these will appear in the <filename>/var/log/secure</filename> log file.
+To improve system security, the <application>suexec</application> binary is no longer installed as if by the <systemitem class="username">root</systemitem> user; instead, it has file system capability bits set which allow a more restrictive set of permissions. In conjunction with this change, the <application>suexec</application> binary no longer uses the <filename>/var/log/httpd/suexec.log</filename> logfile. Instead, log messages are sent to <application>syslog</application>; by default these will appear in the <filename>/var/log/secure</filename> log file.
</para>
</listitem>
</varlistentry>
@@ -190,7 +188,7 @@ To improve system security, the <application>suexec</application> binary is no l
<term>Module Interface</term>
<listitem>
<para>
-Due to changes to the <systemitem class="daemon">httpd</systemitem> module interface, <application>httpd 2.4</application> is not compatible with third-party binary modules built against <application>httpd 2.2</application>. Such modules will need to be adjusted as necessary for the <application>httpd 2.4</application> module interface, and then rebuilt. A detailed list of the API changes in version <literal>2.4</literal> is available here: <ulink url="http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html" />.
+Third-party binary modules built against <application>httpd 2.2</application> are not compatible with <application>httpd 2.4</application> due to changes to the <systemitem class="daemon">httpd</systemitem> module interface. Such modules will need to be adjusted as necessary for the <application>httpd 2.4</application> module interface, and then rebuilt. A detailed list of the API changes in version <literal>2.4</literal> is available here: <ulink url="http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html" />.
</para>
<para>
The <application>apxs</application> binary used to build modules from source has moved from <filename>/usr/sbin/apxs</filename> to <filename>/usr/bin/apxs</filename>.
@@ -204,7 +202,7 @@ The <application>apxs</application> binary used to build modules from source has
List of <systemitem class="daemon">httpd</systemitem> modules removed in &MAJOROSVER;:
<variablelist>
<varlistentry>
- <term>mod_auth_mysql, mod_auth_pgsql</term>
+ <term>mod_auth_mysql, mod_auth_pgsql</term>
<listitem>
<para>
<application>httpd 2.4</application> provides SQL database authentication support internally in the <application>mod_authn_dbd</application> module.
@@ -212,7 +210,7 @@ List of <systemitem class="daemon">httpd</systemitem> modules removed in &MAJORO
</listitem>
</varlistentry>
<varlistentry>
- <term>mod_perl</term>
+ <term>mod_perl</term>
<listitem>
<para>
<application>mod_perl</application> is not officially supported with <application>httpd 2.4</application> by upstream.
@@ -220,10 +218,10 @@ List of <systemitem class="daemon">httpd</systemitem> modules removed in &MAJORO
</listitem>
</varlistentry>
<varlistentry>
- <term>mod_authz_ldap</term>
+ <term>mod_authz_ldap</term>
<listitem>
<para>
- <application>httpd 2.4</application> provides LDAP support internally using <application>mod_authnz_ldap</application>.
+ <application>httpd 2.4</application> provides LDAP support in sub-package <package>mod_ldap</package> using <application>mod_authnz_ldap</application>.
</para>
</listitem>
</varlistentry>
@@ -275,7 +273,7 @@ List of <systemitem class="daemon">httpd</systemitem> modules removed in &MAJORO
<para>
Note that you can check the configuration for possible errors by using the following command:
</para>
- <screen>~]# <command>apachectl configtest</command>
+ <screen>~]# <command>apachectl configtest</command>
Syntax OK</screen>
<para>
For more information on upgrading the Apache HTTP Server configuration from version 2.2 to 2.4, see <ulink url="http://httpd.apache.org/docs/2.4/upgrading.html"/>.
@@ -286,7 +284,7 @@ Syntax OK</screen>
<para>
This section describes how to start, stop, restart, and check the current status of the Apache HTTP Server. To be able to use the <systemitem class="service">httpd</systemitem> service, make sure you have the <package>httpd</package> installed. You can do so by using the following command:
</para>
- <screen>~]# <command>yum install httpd</command></screen>
+ <screen>~]# <command>yum install httpd</command></screen>
<para>
For more information on the concept of targets and how to manage system services in &MAJOROS; in general, see <remark>link to systemd section when ready</remark> <xref linkend="ch-Services_and_Daemons" />.
</para>
@@ -299,11 +297,11 @@ Syntax OK</screen>
<para>
To run the <systemitem class="service">httpd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>systemctl start httpd.service</command></screen>
+ <screen>~]# <command>systemctl start httpd.service</command></screen>
<para>
- If you want the service to start automatically at the boot time, use the following command:
+ If you want the service to start automatically at boot time, use the following command:
</para>
- <screen>~]# <command>systemctl enable httpd.service</command>
+ <screen>~]# <command>systemctl enable httpd.service</command>
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<note>
<title>Using the secure server</title>
@@ -342,7 +340,7 @@ rm '/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<para>
To restart the service completely, enter the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>systemctl restart httpd.service</command></screen>
+ <screen>~]# <command>systemctl restart httpd.service</command></screen>
<para>
This stops the running <systemitem class="service">httpd</systemitem> service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.
</para>
@@ -351,18 +349,18 @@ rm '/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<para>
To only reload the configuration, as <systemitem class="username">root</systemitem>, type:
</para>
- <screen>~]# <command>systemctl reload httpd.service</command></screen>
+ <screen>~]# <command>systemctl reload httpd.service</command></screen>
<para>
- This causes the running <systemitem class="service">httpd</systemitem> service to reload its configuration file. Any requests being currently processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
+ This causes the running <systemitem class="service">httpd</systemitem> service to reload its configuration file. Any requests currently being processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
</para>
</listitem>
<listitem>
<para>
To reload the configuration without affecting active requests, enter the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>service httpd graceful</command></screen>
+ <screen>~]# <command>apachectl graceful</command></screen>
<para>
- This cause the running <systemitem class="service">httpd</systemitem> service to reload its configuration file. Any requests being currently processed will use the old configuration.
+ This causes the running <systemitem class="service">httpd</systemitem> service to reload its configuration file. Any requests currently being processed will continue to use the old configuration.
</para>
</listitem>
</orderedlist>
@@ -379,7 +377,7 @@ rm '/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<para>
To verify that the <systemitem class="service">httpd</systemitem> service is running, type the following at a shell prompt:
</para>
- <screen>~]# <command>systemctl is-active httpd.service</command>
+ <screen>~]# <command>systemctl is-active httpd.service</command>
active</screen>
</section>
</section>
@@ -443,7 +441,7 @@ active</screen>
<para>
To check the configuration for possible errors, type the following at a shell prompt:
</para>
- <screen>~]# <command>apachectl configtest</command>
+ <screen>~]# <command>apachectl configtest</command>
Syntax OK</screen>
<para>
To make the recovery from mistakes easier, it is recommended that you make a copy of the original file before editing it.
@@ -3767,14 +3765,14 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<para>
If you intend to create a new DSO module, make sure you have the <package>httpd-devel</package> package installed. To do so, enter the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>yum install httpd-devel</command></screen>
+ <screen>~]# <command>yum install httpd-devel</command></screen>
<para>
This package contains the include files, the header files, and the <application>APache eXtenSion</application> (<command>apxs</command>) utility required to compile a module.
</para>
<para>
Once written, you can build the module with the following command:
</para>
- <screen>~]# <command>apxs -i -a -c <replaceable>module_name</replaceable>.c</command></screen>
+ <screen>~]# <command>apxs -i -a -c <replaceable>module_name</replaceable>.c</command></screen>
<para>
If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server.
</para>
@@ -3791,7 +3789,7 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<see><application>Apache HTTP Server</application></see>
</indexterm>
<para>
- The Apache HTTP Server's built in virtual hosting allows the server to provide different information based on which IP address, hostname, or port is being requested.
+ The Apache HTTP Server's built in virtual hosting allows the server to provide different information based on which IP address, host name, or port is being requested.
</para>
<para>
To create a name-based virtual host, copy the example configuration file <filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-vhosts.conf</filename> into the <filename class="directory">/etc/httpd/conf.d/</filename> directory, and replace the <literal>@@Port@@</literal> and <literal>@@ServerRoot@@</literal> placeholder values. Customize the options according to your requirements as shown in <xref linkend="example-apache-virtualhosts-config"/>.
@@ -3882,10 +3880,10 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<tertiary>certificate authority</tertiary>
</indexterm>
<para>
- To provide secure communications using SSL, an SSL server must use a digital certificate signed by a <firstterm>Certificate Authority</firstterm> (<acronym>CA</acronym>). The certificate lists various attributes of the server (that is, the server hostname, the name of the company, its location, etc.), and the signature produced using the CA's private key. This signature ensures that a particular certificate authority has issued the certificate, and that the certificate has not been modified in any way.
+ To provide secure communications using SSL, an SSL server must use a digital certificate signed by a <firstterm>Certificate Authority</firstterm> (<acronym>CA</acronym>). The certificate lists various attributes of the server (that is, the server host name, the name of the company, its location, etc.), and the signature produced using the CA's private key. This signature ensures that a particular certificate authority has signed the certificate, and that the certificate has not been modified in any way.
</para>
<para>
- When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the hostname listed in the certificate does not match the hostname used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.
+ When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the host name listed in the certificate does not match the host name used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.
</para>
<para>
By default, most web browsers are configured to trust a set of widely used certificate authorities. Because of this, an appropriate CA should be chosen when setting up a secure server, so that target users can trust the connection, otherwise they will be presented with an error message, and will have to accept the certificate manually. Since encouraging users to override certificate errors can allow an attacker to intercept the connection, you should use a trusted CA whenever possible. For more information on this, see <xref linkend="table-apache-mod_ssl-certificates-authorities" />.
@@ -3947,7 +3945,7 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<para>
If you intend to set up an SSL server, make sure you have the <package>mod_ssl</package> (the <systemitem class="resource">mod_ssl</systemitem> module) and <package>openssl</package> (the OpenSSL toolkit) packages installed. To do so, enter the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>yum install mod_ssl openssl</command></screen>
+ <screen>~]# <command>yum install mod_ssl openssl</command></screen>
<indexterm>
<primary><application>Apache HTTP Server</application></primary>
<secondary>files</secondary>
@@ -3996,8 +3994,8 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<para>
If you want to use an existing key and certificate, move the relevant files to the <filename class="directory">/etc/pki/tls/private/</filename> and <filename class="directory">/etc/pki/tls/certs/</filename> directories respectively. You can do so by issuing the following commands as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>mv</command> <filename><replaceable>key_file</replaceable>.key</filename> <filename>/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</filename>
-~]# <command>mv</command> <filename><replaceable>certificate</replaceable>.crt</filename> <filename>/etc/pki/tls/certs/<replaceable>hostname</replaceable>.crt</filename></screen>
+ <screen>~]# <command>mv</command> <filename><replaceable>key_file</replaceable>.key</filename> <filename>/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</filename>
+~]# <command>mv</command> <filename><replaceable>certificate</replaceable>.crt</filename> <filename>/etc/pki/tls/certs/<replaceable>hostname</replaceable>.crt</filename></screen>
<para>
Then add the following lines to the <filename>/etc/httpd/conf.d/ssl.conf</filename> configuration file:
</para>
@@ -4007,9 +4005,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
To load the updated configuration, restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
</para>
<example id="example-apache-mod_ssl-keypair">
- <title>Using a key and certificate from the Red Hat Secure Web Server</title>
- <screen>~]# <command>mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key</command>
-~]# <command>mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt</command></screen>
+ <title>Using a key and certificate from the Red Hat Secure Web Server</title>
+ <screen>~]# <command>mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key</command>
+~]# <command>mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt</command></screen>
</example>
</section>
<section id="s3-apache-mod_ssl-genkey">
@@ -4025,30 +4023,30 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
<tertiary>certificate</tertiary>
</indexterm>
<para>
- In order to generate a new key and certificate pair, you must to have the <package>crypto-utils</package> package installed on your system. As <systemitem class="username">root</systemitem>, it can be installed by entering the following command:
+ In order to generate a new key and certificate pair, the <package>crypto-utils</package> package must be installed on the system. To install it, enter the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>yum install crypto-utils</command></screen>
+ <screen>~]# <command>yum install crypto-utils</command></screen>
<para>
- This package provides a set of tools to generate and manage SSL certificates and private keys, and includes <application>genkey</application>, the Red Hat Keypair Generation utility that will guide you through the key generation process.
+ This package provides a set of tools to generate and manage SSL certificates and private keys, and includes <application>genkey</application>, the Red Hat Keypair Generation utility that will guide you through the key generation process.
</para>
<important>
<title>Replacing an existing certificate</title>
<para>
If the server already has a valid certificate and you are replacing it with a new one, specify a different serial number. This ensures that client browsers are notified of this change, update to this new certificate as expected, and do not fail to access the page. To create a new certificate with a custom serial number, use the following command instead of <application>genkey</application>:
</para>
- <screen>~]# <command>openssl req -x509 -new -set_serial <replaceable>number</replaceable> -key <replaceable>hostname</replaceable>.key -out <replaceable>hostname</replaceable>.crt</command></screen>
+ <screen>~]# <command>openssl req -x509 -new -set_serial <replaceable>number</replaceable> -key <replaceable>hostname</replaceable>.key -out <replaceable>hostname</replaceable>.crt</command></screen>
</important>
<note>
<title>Remove a previously created key</title>
<para>
- If there already is a key file for a particular host name on your system, <application>genkey</application> will refuse to start. In this case, remove the existing file using the following command as <systemitem class="username">root</systemitem>:
+ If there already is a key file for a particular host name in your system, <application>genkey</application> will refuse to start. In this case, remove the existing file using the following command as <systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>rm /etc/pki/tls/private/<replaceable>hostname</replaceable>.key</command></screen>
+ <screen>~]# <command>rm /etc/pki/tls/private/<replaceable>hostname</replaceable>.key</command></screen>
</note>
<para>
- To run the utility, as <systemitem class="username">root</systemitem>, enter the <command>genkey</command> command followed by the appropriate host name (for example, <systemitem class="domainname">penguin.example.com</systemitem>):
+ To run the utility, use the <command>genkey</command> command followed by the appropriate host name (for example, <systemitem class="domainname">penguin.example.com</systemitem>):
</para>
- <screen>~]# <command>genkey</command> <replaceable>hostname</replaceable></screen>
+ <screen>~]# <command>genkey</command> <replaceable>hostname</replaceable></screen>
<para>
To complete the key and certificate creation, take the following steps:
</para>
@@ -4076,7 +4074,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
</step>
<step>
<para>
- Using the <keycap>Up</keycap> and <keycap>down</keycap> arrow keys, select the suitable key size. Note that while the large key increases the security, it also increases the response time of your server. The NIST recommends using <literal>2048 bits</literal>. See <ulink url="http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf"><citetitle pubwork="book">NIST Special Publication 800-131A</citetitle></ulink>.
+ Using the <keycap>up</keycap> and <keycap>down</keycap> arrow keys, select a suitable key size. Note that while a larger key increases the security, it also increases the response time of your server. The NIST recommends using <literal>2048 bits</literal>. See <ulink url="http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf"><citetitle pubwork="book">NIST Special Publication 800-131A</citetitle></ulink>.
</para>
<figure id="figure-apache-mod_ssl-genkey-02">
<title>Selecting the key size</title>
More information about the docs-commits
mailing list